NAI Code Compliance and Enforcement: How It Works
As we celebrate our 15th anniversary, we at the NAI are most proud of our ongoing tradition of strong self-regulation which ensures responsible data collection and its use for digital advertising.
From time to time, we get questions about how we make sure that our members comply with the standards in our NAI Code.
At NAI, we know that self-regulation only works if the standards are backed by robust enforcement. Without ongoing compliance and robust enforcement, self-regulation principles aren’t worth the paper on which they’re written.
In this blog post, we’ll break down our compliance process into a series of six steps:
Step 1: The compliance process begins long before NAI members even join our organization.
When a company seeks membership in NAI, the applicant faces a detailed evaluation. The NAI staff examines the applicant’s practices for data collection, use, retention, and sharing. Further, the staff looks at relevant disclosures and affirmations of contractual provisions and also reviews the applicant’s choice mechanisms, including testing the technical functionality of the applicant’s opt-out mechanisms.
Through this review, the NAI staff is able to highlight items that need to be addressed before a company can become an NAI member. Sometimes the staff provides guidance to the applicant and gives perspective on practices to help companies go above and beyond the requirements of the Code.
The admission process doesn’t end there. Once the NAI staff review is complete, a recommendation is sent to NAI Board of Directors. Board members review the application — and often request additional information — before voting on accepting a new member.
All of that happens before a company is even admitted as an NAI member!
Step 2: Monitoring and open dialogue characterize the relationship between NAI staff and member companies.
Once a company passes the hurdles to membership in NAI, the NAI staff continues to monitor the company’s practices on a regular basis.
Throughout the year, the NAI staff uses a technical monitoring tool to monitor our members’ opt out mechanisms, gathering data on members’ opt-out functionality and reliability. The NAI staff uses reports from this tool to identify and address potential problems with member opt-out mechanisms.
In addition, NAI utilizes a state-of-the-art privacy policy scanner that checks member webpages on a regular basis. It alerts the NAI staff of changes to members’ privacy policies. The NAI staff then reviews these revisions or updates against members’ transparency and notice requirements under the Code.
NAI is not simply monitoring from afar. The NAI staff is in constant communication with members, helping them to resolve problems and develop innovative new business models within the parameters of the Code. A unique aspect of NAI is our commitment to being constantly available to our members and to working with them to address issues as they arise.
Step 3: Every NAI Member undergoes a rigorous annual compliance review by NAI staff.
A critical portion of the NAI’s compliance and enforcement process is the annual compliance review. The NAI staff works with members to complete an annual compliance review to help members ensure that they continue to comply with the Code – even as their business models evolve.
The first step of the annual compliance review requires that members submit written responses to a detailed questionnaire provided to them by the NAI staff. The questionnaire requires members to describe their business practices and policies on the collection and use of data for Interest-Based Advertising purposes. Where relevant, the questionnaire also requests that members provide supporting documentation such as marketing materials or contracts.
A minimum of two NAI staff members review each member’s submitted materials to assess compliance with the Code.
Following the review of questionnaire submissions and other supporting materials, at least two NAI staff members interview representatives – including technical experts – from each member company for an in-depth analysis.
As a final step in the annual compliance review, members are required to attest in writing to their ongoing compliance with the Code.
Step 4: Compliance is measured and made available to regulators and the public in the NAI Annual Compliance Report.
Ongoing analysis of member activities culminates every year in the production of the Annual Compliance Report – a summary of NAI’s compliance program in a given year. Through the publication of the Annual Compliance Report, consumers, regulators and others gain visibility into the NAI’s compliance program and self-regulatory process.
Step 5: Investigations are launched when necessary.
Of course, NAI takes any instances of possible non-compliance with the Code seriously. We provide a central site for consumers to ask questions and raise concerns about members’ compliance. The NAI staff reviews and, if warranted, investigates these complaints.
The NAI staff also investigates other instances of possible non-compliance with the Code discovered by staff, or brought to the staff’s attention by others, including by regulators or other NAI members.
The full NAI compliance team, consisting of attorneys and technologists, investigates questions of purported non-compliance with the Code. This review includes determining if an alleged practice is covered by the Code, and which, if any, provisions of the Code may have been violated.
For minor technical or disclosure mistakes, NAI’s goal is to rectify the problem as soon as we become aware of it. For example, we do not name a company if we find that a member appears to have a technical glitch with its opt out through the technical monitoring tool, or through a consumer complaint, if we do not deem it a material violation of the Code.
Step 6: Sanctions.
If the NAI staff finds during any of the compliance processes that a member has materially violated the Code, then they may refer the matter to the Board of Directors with a recommendation for sanctions. The member company may be given the opportunity to address the Board and respond to a staff finding of non-compliance.
If the NAI Board also determines that a member has materially violated the Code, they may impose sanctions, including suspension or a revocation of membership. If warranted, the Board may also refer the matter to the Federal Trade Commission.
NAI takes a proactive approach to compliance, helping members address issues before they become a significant problem. NAI’s standards are backed by strong enforcement mechanisms. And our constant communication strategy helps us ensure members’ compliance with the NAI Code in a way that is most efficient and effective.
This is how self-regulation works and works well.